Etsy joins bug bounty crew

Powered by SC Magazine
 

Offers $500 minimum, a t-shirt and a high-five.

Online art and clothing store Etsy has opened a bug bounty program that would reward security researchers for reporting vulnerabilities found on the website.

The company would offer a minimum of $US500 ($A479) for bugs and more for “distinctly creative or severe security bugs”. It did not state a maximum payout.

It would accept web application vulnerabilities such as Cross Site Scripting and Cross-site request forgeries, authentication issues, remote code execution, and authorisation problems within Etsy.com, the site’s application programming interface, and its mobile application.

“This means please do not test for: spam, social engineering, or denial of service vulnerabilities,” it said in a statement.

“You also must not disrupt any service or compromise anyone’s data.”

It said bug bounties were “industry best practice”.

The bug bounty program follows the company's publication of responsible disclosure policies in April that eliminated fear of legal action in response to unauthorised security tests and encouraged researchers to report vulnerabilities.

Those who previously reported flaws will be paid under the new program.

Etsy is the latest in a string of companies including Google, Mozilla, Facebook and Samsung prepared to shell out for privately-disclosed vulnerabilities.

PayPal began offering a similar option in June after the company’s chief security officer Michael Barrett changed his tune on paying for vulnerabilities.

Google paid out $2 million in bounties at the Malaysian Hack in the Box conference, including $60,000 for researchers who pull off a "full Chrome exploit", which involves an attack that leverages only vulnerabilities in the Chrome browser. 

It paid $50,000 for a "partial Chrome exploit", which requires the use of bugs in third-party software.

But Microsoft considers bug bounties superfluous. Its security response centre was inundated with free vulnerability reports from researchers looking for fame, not fortune. Up to 80 percent of Microsoft vulnerabilities were privately and freely reported.

Redmond has instead chosen to pay up to $20,000 under its BlueHat competition to researchers who create defensive technologies which block a class of exploits.

Copyright © SC Magazine, Australia


Etsy joins bug bounty crew
 
 
 
Top Stories
Content, cost & constant innovation: How Foxtel plans to take on Netflix
Nell Payne inhabits the “brave new world of blue strings and networking”. Just don't ask her to put a TV screen on your microwave.
 
Sending in the drones
Margins are getting tighter in the industrial services industry, so Transfield Services' Stephen Phillips looks offshore - and to the skies - for the solutions he needs to keep pace.
 
Westpac fires starting pistol on core banking upgrade
St George readies itself for move to Celeriti.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest articles on BIT Latest Articles from BIT
Microsoft launches Office for Android preview
May 22, 2015
Microsoft has launched a preview of Office for Android smartphones. Pre-release versions of ...
Microsoft is working on an iOS email chat feature called Flow
May 22, 2015
Microsoft is working on a new chat app, but at the moment we know more about what we DON'T know, ...
Windows 10 free upgrade: Microsoft details who gets what
May 22, 2015
Microsoft was meant to be streamlining its OS with Windows 10, so why is upgrading so confusing? ...
Windows 10 has an edition to suit everyone's needs
May 15, 2015
Microsoft unveils a mind-melting six editions of Windows 10 ahead of its Winter 2015 launch. ...
Firefox 38 FINAL released, debuts new tab-based preferences
May 13, 2015
Mozilla has unveiled the latest version of Firefox 38.0 FINAL for desktop, with Firefox for ...
Latest Comments
Polls
Should Optus make a bid for iiNet?

   |   View results
Yes
  43%
 
No
  57%
TOTAL VOTES: 536

Vote